If the attacker can add an environment variable, they can add a command-line switch or about:config value or modify my firefox binary or install an addon that saves my password fields.
If I carelessly execute ~/Downloads/some-binary, my environment variables and config settings are now suspect, while overwriting my firefox binary requires root access.
As such, having the browser loudly warn (irrespective of settings) about such unsafe defaults is still vastly better.
Yes. Loudly. As in "surrounds entire window with a red frame with INSECURE TEST MODE ENABLED", not as in "pops up notification that quietly fades out".
Shellshock was a big deal because the attacker only needed to control the value of an environment variable, not its name. There are many vectors to provide a string that will end up stored in some environment variable, far fewer that will allow you to specify a particular name/value pair.